09/808,720 
Amendments to the Claims 

Please amend Claims 1, 4, 13, 14, 15, 20, 23, 31, 32, 33, and 38. The Claim Listing 
below will replace all prior versions of the claims in the application: 

Claim Listing 

1. (Currently amended) In a computer network, apparatus for mapping data between 
different working data identifier set domains, the apparatus comprising: 

a communication module for establishing a communication connection between a 
sender of one working data identifier set domain and a receiver in a different working 
data identifier set domain; 

a mapping module coupled to the communication module for anonymously 
mapping working data of the one working data identifier set domain to working data of 
the different working data identifier set domain, the working data having (i) a research 
data portion and (ii) an identifier portion related to identifying persons associated with 
the research data portion, [[an identifier portion and a research data portion, the mapping 
module mapping the identifier portion of the working data in the one domain to the 
identifier portion of the working data in the different domain,]] the mapping module 
mapping the identifier portion of the working data in the one working data identifier set 
domain to the identifier portion of the working data in the different working data 
identifier set domain such that the working data transmitted to the authorized receiver is 
anonymous data, while leaving the research data portion unmapped by the anonymous 
mapping of the identifier portions; and 

a secret sharing module for performing secret sharing to control keyholder 
controlling access to the mapping module; 

the apparatus communicating between parties comprising at least the sender and 
the receiver in at least two different working data identifier set domains. 

2. (Original) Apparatus as claimed in Claim 1 wherein the research data portion of the 
working data includes personal data of individuals. 
3. (Original) Apparatus as claimed in Claim 1 wherein the communication connection is a 
secure communication channel formed by the communication module (i) authenticating 
the sender and receiver, resulting in an authorized sender and authorized receiver, and (ii) 
encrypting working data transmitted over the channel. 

4. (Currently amended) Apparatus as claimed in Claim 3 wherein the mapping module 
employs encryption in the mapping of the identifier portion of the working data in the 
one working data identifier set domain to the identifier portion of the working data in the 
different working data identifier set domain such that the working data transmitted to the 
authorized receiver is anonymous data. 

5. (Canceled) 

6. (Canceled) 

7. (Previously presented) Apparatus as claimed in Claim 1 further comprising permanent 
storage means for storing data in a tamper-proof manner. 

8. (Original) Apparatus as claimed in Claim 7 wherein the permanent storage means 
encrypts non-queried parts of the data, said encryption using an encryption key, and 
the secret sharing module storing the encryption key. 

9. (Original) Apparatus as claimed in Claim 8 wherein the permanent storage means 
employs digital signatures on queried parts of the data to detect changes in data and 
thereby prevent tampering. 

10. (Original) Apparatus as claimed in Claim 9 wherein each digital signature is formed from 
a message digest of a concatenation of the encryption key and data. 
11. (Original) Apparatus as claimed in Claim 9 wherein the permanent storage means 
maintains a summary measure of stored data. 

12. (Original) Apparatus as claimed in Claim 11 wherein said summary measure has a 
respective digital signature. 

13. (Currently amended) Apparatus as claimed in Claim 1 wherein the mapping module 
defines a mapping between any two working data identifier set domains by storing a 
mapping table having cross references between identifier portions of working data of the 
two working data identifier set domains. 

14. (Currently amended) Apparatus as claimed in Claim 13 wherein the mapping module 
stores a mapping table for plural working data identifier set domains, the mapping table 
being formed of (i) an index section and (ii) a working reference section, the index 
section indicating identifier portion of working data in a first [[subject]] working data 
identifier set domain and the working reference section indicating corresponding 
identifier portion in a second working data identifier set domain, the working reference 
being encrypted, such that the mapping module performs decryption on a part of the 
mapping table to determine usable cross reference of the working data. 

15. (Currently amended) Apparatus as claimed in Claim 1 wherein the mapping module maps 
working data among plural working data identifier set domains. 

16. (Original) Apparatus as claimed in Claim 1 wherein the sender and receiver are 
respectively one of a software implementation and a human being. 

17. (Original) Apparatus as claimed in Claim 1 wherein connection of the sender and 
receiver is in respective different sessions. 
18. (Original) Apparatus as claimed in Claim 1 wherein the communication module further 
enables communication connection by a supervisor in addition to the sender and receiver. 

19. (Original) Apparatus as claimed in Claim 18 wherein the communication connection by 
the supervisor enables remote operation of the apparatus by the supervisor. 

20. (Currently amended) A method for transferring and mapping data between different 
working data identifier set domains in a computer network, comprising the steps of: 

transmitting working data from a sender in one working data identifier set domain 
to a receiver in a different working data identifier set domain, the working data having (i) 
a research data portion and (ii) an identifier portion related to identifying persons 
associated with the research data portion; [[an identifier portion and a research data 
portion;]] 

anonymously mapping the working data of the one working data identifier set 
domain to working data of the different working data identifier set domain by mapping 
between the identifier portion of the working data in the one working data identifier set 
domain to the identifier portion of the working data in the different working data 
identifier set domain, the mapping between the identifier portions being performed such 
that the working data received by the authorized receiver is anonymous data, while 
leaving the research data portion unmapped by the anonymous mapping of the identifier 
portions; and 

controlling keyholder access to the mapping using secret sharing. 

21. (Original) A method as claimed in Claim 20 wherein the step of transmitting includes 
including personal data of individuals in the research data portion. 

22. (Original) A method as claimed in Claim 20 further comprising the step of establishing a 
secure communication connection between the sender and receiver, wherein said secure 
communication connection includes (i) authentication of the sender and receiver, 
resulting in an authorized sender and authorized receiver, and (ii) encryption of the 
transmitted working data. 

23. (Currently amended) A method as claimed in Claim 22 wherein the step of mapping the 
identifier portions includes encrypting such that the working data received by the 
authorized receiver is anonymous data. 

24. (Canceled) 

25. (Original) A method as claimed in Claim 20 further comprising the step of storing data in 
a tamper-proof manner in a permanent storage. 

26. (Original) A method as claimed in Claim 25 wherein the step of storing includes 
encrypting non-queried parts of the data. 

27. (Original) A method as claimed in Claim 26 wherein the step of storing further includes 
assigning a respective digital signature to each queried part of the data to enable detection 
of changes in the data and thereby prevent tampering. 

28. (Original) A method as claimed in Claim 27 wherein the step of encrypting employs an 
encryption key, and 

the step of assigning includes forming a digital signature from a message digest of a 
concatenation of data and the encryption key. 

29. (Original) A method as claimed in Claim 27 wherein the step of storing working data 
includes maintaining a summary measure of stored data. 

30. (Original) A method as claimed in Claim 29 wherein the step of maintaining a summary 
measure includes assigning a digital signature to the summary measure. 
31. (Currently amended) A method as claimed in Claim 20 wherein the step of mapping 
includes storing a mapping table having cross references between the identifier portions 
of the working data of the two working data identifier set domains. 

32. (Currently amended) A method as claimed in Claim 31 wherein the step of storing a 
mapping table includes storing a respective mapping table for each working data 
identifier set domain, each mapping table being formed of (i) an index section and (ii) a 
working reference section, the index section indicating identifier portion of working data 
in a first [[subject]] working data identifier set domain and the working reference section 
indicating corresponding identifier portion in a second [[subject]] working data identifier set 
domain, the working reference being encrypted; and 

decrypting a part of the mapping table to determine usable cross reference of the working 
data. 

33. (Currently amended) A method as claimed in Claim 20 wherein the step of mapping 
includes mapping working data among plural working data identifier set domains. 

34. (Original) A method as claimed in Claim 20 wherein the sender and receiver are 
respectively one of a software implementation and a human being. 

35. (Original) A method as claimed in Claim 20 further comprising the step of establishing a 
communication connection between the sender and receiver where the sender is 
connected in one session and the receiver is connected in a different session. 

36. (Original) A method as claimed in Claim 20 further comprising the step of connecting a 
supervisor to the computer network. 

37. (Original) A method as claimed in Claim 36 further comprising the step of enabling 
remote control by the supervisor. 
38. (Currently amended) Apparatus as claimed in Claim 1 wherein the identifier portion of 
the working data includes identifiers from plural working data identifier set domains, the 
mapping module mapping multiple identifiers between multiple working data identifier 
set domains for each research portion of the working data. 

39. (Original) Apparatus as claimed in Claim 1 further comprising: 

a secured container; 

a computer system executing the communication module and the mapping module; and 
a firewall coupled to the computer system, the computer system and firewall being 
housed by the secured container so as to provide tamper-proof hardware. 
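Added example, not code from the application or the applicant: a minimal Python model of the claimed mapping module, combining a table key whose use is controlled by secret sharing among keyholders (Claims 1 and 20), a mapping table whose index section holds the identifier in the first domain and whose working reference section holds the encrypted identifier in the second domain (Claims 14 and 32), a signature formed as a digest of the key concatenated with the data (Claim 10), and mapping that leaves the research data portion untouched (Claims 1 and 20). Shamir sharing, the SHA-256 XOR keystream, the 8-byte tag and all identifiers are assumptions of this example, not specifics of the application.

```python
import hashlib
import secrets

# Shamir secret sharing over a prime field: the mapping-table key is only
# recoverable when a threshold of keyholders contribute their shares.
P = 2**127 - 1  # Mersenne prime, larger than any 16-byte key
def split_secret(secret: int, threshold: int, shares: int) -> list:
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    return [(x, sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P)
            for x in range(1, shares + 1)]
def recover_secret(shares: list) -> int:
    total = 0  # Lagrange interpolation of the sharing polynomial at x = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num, den = num * (-xj) % P, den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total
def keystream(key: bytes, label: bytes, n: int) -> bytes:
    # Toy keyed stream (assumption, not the application's cipher); refs <= 32 bytes
    return hashlib.sha256(key + label).digest()[:n]
def encrypt_ref(key: bytes, index: str, ref: str) -> bytes:
    data = ref.encode()
    ct = bytes(a ^ b for a, b in zip(data, keystream(key, index.encode(), len(data))))
    # Integrity tag in the style of Claim 10: digest of the key concatenated with the data
    return ct + hashlib.sha256(key + data).digest()[:8]
def decrypt_ref(key: bytes, index: str, blob: bytes) -> str:
    ct, tag = blob[:-8], blob[-8:]
    data = bytes(a ^ b for a, b in zip(ct, keystream(key, index.encode(), len(ct))))
    if hashlib.sha256(key + data).digest()[:8] != tag:
        raise ValueError("wrong key or tampered mapping entry")
    return data.decode()
def build_table(key: bytes, pairs: list) -> dict:
    # Index section: first-domain identifier; working reference: encrypted second-domain id
    return {idx: encrypt_ref(key, idx, ref) for idx, ref in pairs}
def map_record(table: dict, key: bytes, record: dict) -> dict:
    # Only the identifier portion is mapped; the research data portion passes unchanged.
    return {"id": decrypt_ref(key, record["id"], table[record["id"]]),
            "research": record["research"]}
def demo() -> dict:
    # Constructed sample: keyholders 1 and 3 (threshold 2 of 3) rebuild the table key
    key_int = secrets.randbelow(2**120)
    shares = split_secret(key_int, 2, 3)
    key = recover_secret([shares[0], shares[2]]).to_bytes(16, "big")
    table = build_table(key, [("HOSP-0042", "STUDY-A-7")])
    return map_record(table, key, {"id": "HOSP-0042", "research": {"age": 54}})
```

A single share (below the threshold) yields a different key, and the tag check in decrypt_ref then rejects the entry instead of returning a wrong identifier.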